How Android’s UI Security is Undermined by Accessibility

Kalysch A, Bove D, Müller T (2018)

Publication Language: English

Publication Type: Conference contribution, Conference Contribution

Publication year: 2018

Publisher: ACM International Conference Proceedings Series (ICPS)

City/Town: New York, NY, USA

Pages Range: 2:1--2:10

Conference Proceedings Title: Proceedings of the 2nd Reversing and Offensive-oriented Trends Symposium

Event location: Vienna AT

ISBN: 978-1-4503-6171-2/18/11

URI: https://dl.acm.org/citation.cfm?id=3289597

DOI: 10.1145/3289595.3289597

Abstract

Android’s accessibility API was designed to assist users with dis-
abilities, or preoccupied users unable to interact with a device, e.g.,
while driving a car. Nowadays, many Android apps rely on the
accessibility API for other purposes, including password managers
but also malware. From a security perspective, the accessibility
API is precarious as it undermines an otherwise strong principle of
sandboxing in Android that separates apps. By means of an acces-
sibility service, apps can interact with the UI elements of another
app, including reading from its screen and writing to its text fields.
As a consequence, design shortcomings in the accessibility API and
other UI features such as overlays have grave security implications.
We reveal flaws in the accessibility design of Android allowing
information leakages and denial of service attacks against fully
patched systems. With an enabled accessibility service, we are able
to sniff sensitive data from apps, including the password of An-
droid’s own lock screen. To evaluate the effectiveness of our attacks
against third-party apps, we examined the 1100 most downloaded
apps from Google Play and found 99.25 % of them to be vulnera-
ble. Although app-level protection measures against these attacks
can be implemented, e.g., to prevent information leakage through
password fields, the number of affected apps proves that these
kind of vulnerabilities must be tackled by Google rather than app
developers.
From December 2017 to March 2018, we submitted seven bug
reports to Google, from which three have been marked as won’t fix
while four are progressed but ranked with either low severity or
no security bulletin class. We conclude our paper with a list of best
practices for app-level protections for the time those bugs remain
unfixed by Google.

Authors with CRIS profile

Anatoli Kalysch Lehrstuhl für Informatik 1 (IT-Sicherheitsinfrastrukturen) Davide Bove Lehrstuhl für Informatik 1 (IT-Sicherheitsinfrastrukturen) Tilo Müller Lehrstuhl für Informatik 1 (IT-Sicherheitsinfrastrukturen)

How to cite

APA:

Kalysch, A., Bove, D., & Müller, T. (2018). How Android’s UI Security is Undermined by Accessibility. In Proceedings of the 2nd Reversing and Offensive-oriented Trends Symposium (pp. 2:1--2:10). Vienna, AT: New York, NY, USA: ACM International Conference Proceedings Series (ICPS).

MLA:

Kalysch, Anatoli, Davide Bove, and Tilo Müller. "How Android’s UI Security is Undermined by Accessibility." Proceedings of the ROOTS' 18, Vienna New York, NY, USA: ACM International Conference Proceedings Series (ICPS), 2018. 2:1--2:10.

BibTeX: Download